On November 4, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation filed final privacy regulations, set to take effect on March 1, 2010. The regulations as initially adopted in September 2008 had garnered concern for being more stringent than federal requirements. A second set of proposed regulations released in August 2009 addressed most of the industry’s initial concerns, but left open how the new rule would affect third-party service providers. The Office of Consumer Affairs and Business Regulation held a public hearing on September 22, 2009, which helped to clarify the rule’s impact on third-party service providers.

Officials made assurances that the rule applies to the person or entity that receives the personal information directly from (or on behalf of) the customer; a person who subsequently receives that information from the original recipient is a third-party service provider. Third-party service providers need not independently comply with the rule; however, they must be capable of maintaining appropriate security measures to protect personal information consistent with the Massachusetts privacy regulations and applicable federal regulations. The rule indicates that information-sharing parties must oversee third-party service providers by requiring them by contract to implement and maintain appropriate security measures for personal information. An existing contract between a third-party service provider and an information-sharing party is not required to contain the information safeguard provision until March 1, 2012; however, any contract executed after March 1, 2010, must contain the provision.
A copy of the final rules can be found on the official website of the Commonwealth of Massachusetts at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.